Your airplane was just hacked

Having already made their way into the world of home appliances, ordinary information security pains are now sneaking into aviation.

Reports of notorious security incidents have been constant lately: massive cyberespionage campaigns, hacks performed by stunningly skilled and cunning cybercriminals, leaks of tens of millions of customer credentials, and even intrusions into uranium enrichment facilities that are disconnected from the Internet. With the world becoming increasingly interconnected, becoming lax with information security might cost you your personal data, money, reputation, or even national security. Now that the ‘Internet of Things’ is gaining traction around the world, projected to add up to 50 billion new connected devices by 2020 [1], you should seriously consider the probability of not being admitted into your smart home, or struggling to turn off your sound system which suddenly went berserk in the dead of the night, or getting a higher insurance plan because of the fitness band transmitting your health data to some sticky-fingered insurance companies. It is obvious that an ‘Internet of Threats’ is also evolving around this new reality of a permanently connected ecosystem of devices and appliances.

One of our infosec customers, Intel Security, recently discussed this trend in an interview for Computerworld. As stated by Pavel Eyges, Intel Security’s general manager in Russia, the current layered information security paradigm is bound to become extinct in a matter of several years: due to the proliferation of connected IoT devices and the associated 1000x ‘data deluge’, current networks would not be able to analyze the traffic emitted by each of the devices the way firewalls and IPS systems do for existing PCs, workstations, servers, or any other kind of terminal device. Also, the majority of IoT devices – fitness bands, connected fridges, microwaves, or smart locks – would be limited in terms of computing power and would not allow a separately developed antivirus to be set up for each type of connected device.

What awaits us ahead is indeed a gloomy reality of threats in every aspect of everyday living, unless the approach to the security of this abundance of things is fundamentally changed. Several weeks ago a curious case marked, in some respects, a 9/11 for the infosec industry: Chris Roberts, an American security researcher, was stopped on his way to a security conference and questioned by the FBI for allegedly hacking the United Airlines plane he was travelling on.

Having got on board, Roberts tweeted that he was about to infiltrate the aircraft’s systems, pull the oxygen masks and ‘play’ with the cockpit controls. The tweet was obviously a joke, as the on-board multimedia and Wi-Fi systems and the cockpit are absolutely isolated from each other, but it was noticed by a United SMM manager who took it as his responsibility to contact the FBI.

Roberts was held for questioning for four hours, and his devices were confiscated for the duration of the investigation. The researcher claimed that he meant no harm and was just trying to make the Federal Aviation Association (FAA) pay attention to the underestimated infosec issues in aviation. Later, FBI agents revealed the record of his questioning, in which Roberts admitted he was able to get access to cockpit controls through the on-board multimedia system and even managed to make the airplane ‘fly sideways’ for some moments. Whether these allegations are valid or not (it was later found out that the attempt to take over control of the aircraft was in fact performed on a simulated, not real-life, airplane environment), the investigation still continues, pending analysis from aircraft engineers at Boeing, who are not empowered to clarify the probability of the airplane hack because of an NDA which they signed, ironically, for security reasons.

Although the odds of this type of hack actually taking place are close to zero, the industry was shaken to the core. United has forbidden Roberts from ever setting foot on its airplanes, and then, trying to cope with the public pressure, launched aviation’s first ever bug bounty program – limited exclusively to web/app vulnerabilities and prohibiting any attempts to tamper with on-board systems, even for research purposes. Meanwhile, the US Federal Trade Commission blamed the FAA for lax security with regard to on-board Wi-Fi networks, calling for better threat mitigation across the industry. The FBI still holds Roberts’ belongings for examination.

Why this seemingly absurd incident gained so much traction can be explained by the following reasons. Aviation is an industry which treats the security of passengers as its cornerstone. When there is even the tiniest probability that something, however unlikely, undermines the highest standards of aviation security, the issue should be solved. The low transparency of on-board systems, combined with a common tendency to aerophobia, contributed to a certain degree of anxiety: after all, your life is not just a credit card. For IT, which is steadily becoming a commodity on board, aviation is terra incognita which requires better regulation and standardization practices. And, last but not least, in the wake of the plans of Boeing and Honeywell to massively deploy a new remote flight control system, the problem of information security is more and more pronounced. In the event of either hijacking or both pilots’ inability to continue piloting, the new autopilot system will enable ground systems to take control of the aircraft just the way it is done with drones. With this new reality in mind, the current state of information security in aviation is abysmal. Where there is a connection, there is a way to tamper with it or intercept it – it is not a question of ‘if’, it’s a question of ‘when’. Probably, we will see the emergence of new, exotic and even more impactful threats, which we will need to mitigate by changing the principles of information security today.